Curiosity killed the cat: Checking the contents of a phishing email

José Vicente Núñez
4 min read · Jul 24, 2022
Wow, I was randomly selected to participate in a loyalty program! Let me click that link…

Raise your hand if you ever got an email from a company you never heard of, with an offer that is probably too good to be true:

Several red flags on this email. Time to analyze it a little bit further…

All of us get these emails on a daily basis; we have been told countless times not to click a link, not to open those emails, and yet the stories of the victims just keep piling up.

So let me show you what I learned from a simple phishing email I got.

Warning, you are playing with matches

Before you decide to open this kind of email, I suggest you do the following:

  • Run a mail client inside a virtual machine; if the email triggers an exploit in your mail client, the damage will be contained.
  • Make sure your antivirus is running.
  • Disable macros and the loading of external images. Some clients, like Thunderbird, let you do that.
  • Do not click on the links. Check the source and analyze the URL separately.
  • If you get this in your company email, forward it to your IT department. They are trained, they know what to do with this kind of email, and they can warn others.

Social engineering 101: The weakest link

  • Scammers prey on greed. You have never heard of the company or the person, and somehow you think you won a prize.
  • They are aggressive: some will claim they will shut down services, that you were caught doing something illegal, or that they need more information from you to correct a problem. Don’t fall for it.

OK, the above email is easy. No, I’m not getting a free grill but rather I’m getting the email headers for analysis…

Analyzing the email headers

The first odd thing about this email is that the email address in the “from” field (wisemart.com) is different from the name of the company in the email; so if you visit https://wisemart.com (please don’t bother) you get this:

Hmm, a broken site for wisemart.com. Doesn’t inspire much confidence…

Let’s get serious. Parsing email headers can be a time-consuming task, so with a little help from the htoolbox.googleapps.com “analyze header” tool we can see a few more interesting things:

The subject is completely mangled. But nothing too interesting here

Surprisingly, the email is mostly clean, except for the mangled subject (yes, another red flag). We do get an interesting piece here, an IP address in the “from” field: 54.240.7.38

  • Was this IP address compromised?
  • Is this server being used to send malware?

Time to check that with abuseipdb:

And our suspect IP address was reported before.

So we know that the IP address has probably been used to launch attacks; even if the confidence level is low (10%), it is not a good sign for this merchant.

One more red flag: the Domain-based Message Authentication, Reporting & Conformance (DMARC) check also failed, which indicates spoofing.

What about the URL you are supposed to click to claim your reward? We can see its contents using curl, which will fetch the page but not execute any JavaScript:

[josevnz@dmaf5 malware]$ curl --output - 'https://storage.googleapis.com/sendgun-002/choko.html?p7P+F7bEUjsR0NlckP4N/emAOgl4/i5TTCQsgzlA3ktrW9r8CTPsu5jfurNW/rKIVb7Jx+3T4cVv5btbMEBVrNaWDm8iMn8OH9uUmsFPoScca5j0q3Xe0bO4bDHfmWQfqTbCDZCcpfnQFP/XmYQkinfaHXqEzAIwN2KVCcE5sfedNUtD0v0kICAjvoVPZW4hK9isOgsBa6Yo0hN9TxlsbK3awdv1aTEXVSZ9uwcNJNB0UiplXI05IsxsiZbZWw=='
<script>
window.location.replace(`https://wisermart.com/${window.location.href.split('?')[1]}`);

Hmm, JavaScript redirecting the browser to yet another site, passing along whatever came after the “?” in the original URL. Not nice, I think I’m not getting this free grill 😜
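The manual checks above (sender domain vs. Authentication-Results, relay IPs from the Received headers, and a static look at the landing page for a JavaScript redirect to a different domain) can be scripted. This is an added example, not code from the original post; the headers and the landing page below are constructed samples modelled on the message discussed, and nothing in the fetched HTML is executed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample headers (not the real message); IP and hosts are documentation values.
SAMPLE_HEADERS = """From: "Shoppers Reward" <promo@wisemart.com>
To: victim@example.org
Received: from mail-out.example.net (mail-out.example.net [203.0.113.10])
 by mx.example.org with ESMTP; Sun, 24 Jul 2022 10:00:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.net;
 dkim=none; dmarc=fail (p=none) header.from=wisemart.com

"""

# Constructed landing page, modelled on the redirect script returned by curl in the post.
SAMPLE_LANDING_HTML = """<script>
window.location.replace(`https://wisermart.com/${window.location.href.split('?')[1]}`);
</script>"""

def header_red_flags(raw_headers: str) -> dict:
    """Extract the From domain, relay IPs and SPF/DKIM/DMARC verdicts from raw headers."""
    msg = message_from_string(raw_headers)
    from_domain = msg.get("From", "").split("@")[-1].strip("> ").lower()
    # Relay addresses appear in square brackets in Received: lines (one per hop).
    received = "\n".join(msg.get_all("Received", []))
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    return {"from_domain": from_domain, "relay_ips": ips, "auth": results,
            "dmarc_failed": results.get("dmarc", "none") != "pass"}

def js_redirect_targets(html: str) -> list:
    """Static scan for location.replace/assign/href redirects; returns target hostnames."""
    pat = r"location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*[`'\"](https?://[^/`'\"$]+)"
    return [urlparse(u).hostname for u in re.findall(pat, html)]

def analyze(raw_headers: str, landing_html: str) -> list:
    """Return human-readable red flags; an empty list means none of these checks fired."""
    info = header_red_flags(raw_headers)
    flags = []
    if info["dmarc_failed"]:
        flags.append(f"DMARC did not pass for {info['from_domain']}")
    for host in js_redirect_targets(landing_html):
        if host != info["from_domain"]:
            flags.append(f"landing page redirects to {host}, not {info['from_domain']}")
    return flags

if __name__ == "__main__":
    print(header_red_flags(SAMPLE_HEADERS))
    print(analyze(SAMPLE_HEADERS, SAMPLE_LANDING_HTML))
```

The relay IPs it returns are the ones to look up in abuseipdb, as done above with 54.240.7.38.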

If you don’t feel so adventurous, then you may want to ask VirusTotal to check it for you:

VirusTotal also thinks this is a phishing email…

Conclusion

This is by no means a full guide on how to protect yourself from phishing emails, but rather a demonstration of what I managed to confirm with a few commands.

There are a few links you may want to explore:

The most important rule is the common-sense rule: if it is too good to be true, then it is not.

José Vicente Núñez

🇻🇪 🇺🇸, proud dad and husband, DevOps and sysadmin, recreational runner and geek.